HOME
NEWS

New OpenSea attack led to theft of millions of dollars in NFTs


By VARINDIA - 2022-02-21
New OpenSea attack led to theft of millions of dollars in NFTs

A few days ago, OpenSea published an article about the contract migration they are planning.

Graphical user interface, text, application Description automatically generated

 

The idea behind the OpenSea migration is to address the existing inactive listings of old NFT’s, and in order to do that, they are planning to upgrade to a new contract. All users will be required to “migrate” their listings on Ethereum to the new smart contract.

They also sent instructions, which can be found here:

https://support.opensea.io/hc/en-us/articles/4433163594643-Smart-Contract-Upgrade-How-to-Migrate-Your-Item-Listings

Some hackers took advantage of the upgrade process and decided to scam NFT users by using the same email from OpenSea and resending it to the OpenSea victims:

 

 

Pressing on the link would navigate the users to a phishing website which would ask the users to sign a transaction that looks like the transaction from the OpenSea blog:

 

 

Original transaction

Malicious Transaction

 

 

 

 

 

By signing the transaction, an atomicMatch_ request would be sent to the attacker contract, which he created a month ago prior to the attack. (https://etherscan.io/address/0xa2c0946ad444dccf990394c5cbe019a858a945bd):

 

 

From there, the atomicMatch_ would be forwarded to the OpenSea contract. atomicMath in OpenSea is responsible for all the Trading on OpenSea with minimal trust. Atomic means that the transaction will only take place if all the parameters of the transaction are met. And this is how all the NFTs are moving around accounts at OpenSea.

 

This is why the attacker decided to use the atomicMatch to steal the victim NFTS because this kind of request is capable of stealing all victim NFTS in one transaction.

The flow of the attack looks as follows:

  1. Victim clicks on a malicious link from the phishing email
  2. The link opens a phishing website and asks the victim to sign a transaction.
  3. By signing the transaction an atomicMatch_ request would be sent to 0xa2c0946ad444dccf990394c5cbe019a858a945bd (attacker contract).
  4. Attacker than forward the request to atomicMath at 0x7be8076f4ea4a4ad08075c2508e481d6c946d12b (OpenSea contract)
  5. OpenSea Contract verifies all the parameters of the deal and executes the transaction because everything is signed by the victim and approved.
  6. OpenSea contract communicate with the NFT contracts and transfer the NFT from the victim to the attacker according to the atomicMatch parameters.

The whole process looks like that:

What is even more interesting here is that the attacker executes a dry run before the attack. He tries to execute an atomicMatch to OpenSea and verifies his attack.

As can be seen in the following screenshot:

 

From the transactions in the attacker account, Check Point Research can see that the wallet has over 2 million dollars worth of Ethereum from selling some of the stolen NFTs.

https://etherscan.io/address/0x3e0defb880cd8e163bad68abe66437f99a7a8a74#internaltx

 

How to stay safe?

  1. Many websites and projects request a permanent access to your NFT’s by sending you a transaction to sign. This transaction will give the websites/projects access anytime they want to your NFT unless you un-approve the transaction at the following link - https://etherscan.io/tokenapprovalchecker.

 

  1. Signing a transaction is similar to giving someone permission to access all your NFT’s and cryptocurrencies. This is why signing is very dangerous. Pay extra attention to where and when you sign a transaction.

 

  1. Phishing emails may be tricky. We don’t recommend clicking on links from emails no matter who is the sender, always try to find the same information on the website provider.

See What’s Next in Tech With the Fast Forward Newsletter

SECURITY
View All
Zscaler announces AI innovations to its Data Protection Platform
Technology

Zscaler announces AI innovations to its Data Protection Platform

by VARINDIA 2024-05-20
SHIELD to enhance Swiggy’s fraud prevention and detection capabilities
Technology

SHIELD to enhance Swiggy’s fraud prevention and detection capabilities

by VARINDIA 2024-05-20
Axis Communications announces its first thermometric camera designed for Zone/Division 2
Technology

Axis Communications announces its first thermometric camera designed for Zone/Division 2

by VARINDIA 2024-05-20
SOFTWARE
View All
Hitachi Vantara and Veeam announce Global Strategic Alliance
Technology

Hitachi Vantara and Veeam announce Global Strategic Alliance

by VARINDIA 2024-05-16
Adobe launches Acrobat AI Assistant for the Enterprise
Technology

Adobe launches Acrobat AI Assistant for the Enterprise

by VARINDIA 2024-05-11
Oracle Database 23ai offers the power of AI to Enterprise Data and Applications
Technology

Oracle Database 23ai offers the power of AI to Enterprise Data and Applications

by VARINDIA 2024-05-10
START - UP
View All
Data Subject Access Request is an integrated module within ID-REDACT®
Technology

Data Subject Access Request is an integrated module within ID-REDACT®

by VARINDIA 2024-04-30
SiMa.ai Secures $70M Funds from Maverick Capital
Technology

SiMa.ai Secures $70M Funds from Maverick Capital

by VARINDIA 2024-04-05
Sarvam AI collaborates with Microsoft to bring its Indic voice LLM to Azure
Technology

Sarvam AI collaborates with Microsoft to bring its Indic voice LLM to Azure

by VARINDIA 2024-02-08

Tweets From @varindiamag

CIO - SPEAK
Automation has the potential to greatly improve efficiency and production

Automation has the potential to greatly improve efficiency and production

by VARINDIA
Various approaches are followed to enhance efficiency, productivity, and cost-effectiveness

Various approaches are followed to enhance efficiency, productivity, and cost-effectiveness

by VARINDIA
Technology can be leveraged in several ways to boost efficiency, productivity and reduce cost

Technology can be leveraged in several ways to boost efficiency, productivity and reduce cost

by VARINDIA
Start-Up and Unicorn Ecosystem
GoDaddy harnesses AI power for new domain name recommendations

GoDaddy harnesses AI power for new domain name recommendations

by VARINDIA
UAE’s du Telecom selects STL as a strategic fibre partner

UAE’s du Telecom selects STL as a strategic fibre partner

by VARINDIA
JLR and Dassault Systèmes extend partnership for All Vehicle Programs worldwide

JLR and Dassault Systèmes extend partnership for All Vehicle Programs worldwide

by VARINDIA
Rapyder partners with AWS to accelerate Generative AI led innovation

Rapyder partners with AWS to accelerate Generative AI led innovation

by VARINDIA
ManageEngine integrates its SIEM solution with Constella Intelligence

ManageEngine integrates its SIEM solution with Constella Intelligence

by VARINDIA
Elastic replaces traditional SIEM game with AI-driven security analytics

Elastic replaces traditional SIEM game with AI-driven security analytics

by VARINDIA
Infosys and ServiceNow to transform customer experiences with generative AI-powered solutions

Infosys and ServiceNow to transform customer experiences with generative AI-powered solutions

by VARINDIA
Crayon Software Experts India inaugurates its ISV Incubation Center in Kolkata

Crayon Software Experts India inaugurates its ISV Incubation Center in Kolkata

by VARINDIA
Dassault Systèmes to accelerate EV charging infrastructure development in India

Dassault Systèmes to accelerate EV charging infrastructure development in India

by VARINDIA
Tech Mahindra and Atento to deliver GenAI powered business transformation services

Tech Mahindra and Atento to deliver GenAI powered business transformation services

by VARINDIA